Understanding Viral SSIDs
The term Viral SSID has started to emerge across the media as a potent security threat for WiFi-enabled computers. However, the causes and implications of this phenomenon are still poorly understood. This article demystifies the concept of viral SSIDs.
What is a viral SSID?
Just as a virus spreads from an infected host to a healthy one and infects it, a viral SSID spreads from an infected wireless-enabled computer to another. Technically, a viral SSID is the network name (SSID) of an ad-hoc or peer-to-peer network formed over WiFi. In contrast, non-viral SSIDs are the network names of infrastructure networks (networks comprising Access Points that a WiFi client can connect to).
How does a viral SSID spread?
The spread of a viral SSID can primarily be attributed to the wireless auto-configuration utility in current laptops. Whenever a user connects to a wireless network, its SSID is added to a list of known network names. On Windows machines, this list is called the Preferred Network List (PNL). This list includes any viral SSIDs to which the user has connected. In fact, a user need not manually connect to a viral SSID for it to be added to the list: certain auto-configuration utilities offer an option to connect to any network in the vicinity, be it infrastructure or ad-hoc.
When the user moves to a different location and starts the computer, the wireless auto-configuration utility looks for the SSIDs stored in the PNL. When it finds none of the infrastructure networks from the list in its neighborhood, it starts looking for the ad-hoc networks stored in the PNL. If it finds one, it connects to the host advertising the corresponding SSID. If it does not, it becomes the first node of that ad-hoc network and starts advertising the viral SSID itself.
If an unsuspecting healthy laptop is searching for wireless networks in the vicinity, it will see the advertised viral SSID in its list. If the laptop is configured to connect to any wireless network that comes into range, it will attach itself to the corresponding network. The connection can also be made when an unsuspecting user manually connects to an advertised viral SSID. As soon as this connection is made, the viral SSID appears in the PNL of the healthy laptop, and that laptop is now infected.
Note that while we have explained this behavior from the perspective of a Windows machine, any auto-configuration utility that advertises or searches for ad-hoc networks can spread viral SSIDs.
Are they real?
An obvious doubt you may have is that, while all of this is theoretically possible, do we actually know whether viral SSIDs exist in the wild? The answer is a resounding yes.
Studies have shown that several viral SSIDs are showing up in different places around the world. If you open “Available Wireless Networks” on a Windows laptop in a public setting, irrespective of your location, you are very likely to come across one or more viral SSIDs. If you see the SSIDs “Free Public WiFi”, “hpsetup”, “default”, etc., chances are that these SSIDs are viral. In fact, in one of our recent studies across 11 airports in the USA and Canada, we found viral SSIDs at 10 of them, and that while scanning the environment for only 5 minutes at each airport.
Moreover, as evidence of viral SSIDs spreading, we found that the same SSIDs show up at different airports; “Free Public WiFi” showed up at several of them. See the airport vulnerability assessment study for more information.
Where did they come from?
While viral SSIDs spread from host to host, where did the first one come from? This question is all the more intriguing when we consider that SSIDs matching the default SSID settings of various AP vendors appear as viral SSIDs: for example, “linksys”, “default” and “hpsetup” have been observed as viral SSIDs in different places, even though these are the default SSID names that different vendors use for their APs.
These SSIDs appear both as infrastructure network names and as viral SSIDs. It is plausible to imagine an auto-configuration utility that puts a wireless card into ad-hoc mode with the same SSID it used in infrastructure mode when the corresponding AP is not found. In this way, the standard AP names would have started being advertised as viral SSIDs. At the other extreme, these viral SSIDs could have been created deliberately, with malicious intent, by attackers who knew that clients would auto-connect to this SSID if they did not find any infrastructure SSID with that name. Furthermore, using common names for viral SSIDs may be a social engineering tactic, since users are more likely to manually connect to familiar network names than to unknown ones.
Why should I care?
If your machine is searching for a viral SSID, an attacker can set up his/her machine to advertise that viral SSID and connect to your machine. The same is true if your machine is advertising it. Once the connection is made, the attacker can use a plethora of exploits.
The mildest form of attack could be stealing information from your hard disk. The attacker can also become a man-in-the-middle routing all your Internet traffic through itself and observing/modifying all your data. Your passwords can be stolen using this attack.
A more potent attack involves the attacker using the ad-hoc connection to infect your machine with a trojan that opens a backdoor into your corporate network. Rather than undertaking the tough task of penetrating the stringent corporate perimeter (potentially consisting of a network firewall and a network intrusion prevention system, among other measures), the attacker simply compromises a mobile host and lets that host go back behind the corporate security wall to provide the backdoor entrance.
What should I do to remain protected?
Disable auto-connection to, and advertisement of, ad-hoc networks in your wireless auto-configuration utility. This is the default behavior in Windows Vista. In Windows XP, ensure that you have selected “Access point (infrastructure) network only” in the “Advanced” configuration of Wireless Network Connection Properties.
If you need to connect to a peer device, make sure of the identity of the peer device before connecting. If you ever do connect to such a network, clear it from your PNL after you are done.
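As an added illustration (not code from AirTight or from this article), the following Python model reproduces the PNL behavior described under “How does a viral SSID spread?” and shows why the “infrastructure network only” setting recommended above stops the spread. The host names, SSIDs and locations are constructed for the example.

```python
INFRA, ADHOC = "infrastructure", "adhoc"

def make_host(name, pnl, infra_only=False, connect_any=False):
    # pnl: ordered (ssid, type) pairs; connect_any mimics the utility's
    # "connect to any available network" option. Names are constructed.
    return {"name": name, "pnl": list(pnl), "infra_only": infra_only,
            "connect_any": connect_any}

def fallback_adhoc(host, visible):
    """Ad-hoc SSID this host will advertise, or None (visible: ssid -> type)."""
    for ssid, ntype in host["pnl"]:
        if ntype == INFRA and visible.get(ssid) == INFRA:
            return None                # a known AP is in range: no fallback
    if host["infra_only"]:
        return None                    # the article's XP/Vista mitigation
    for ssid, ntype in host["pnl"]:
        if ntype == ADHOC:
            return ssid                # joins it, or becomes its first node
    return None

def simulate_location(hosts, infra_ssids):
    """One scan/connect round at one place: (what is in the air, who got infected)."""
    visible = {s: INFRA for s in infra_ssids}
    for h in hosts:                    # pass 1: stranded hosts start beaconing
        adhoc = fallback_adhoc(h, visible)
        if adhoc:
            visible[adhoc] = ADHOC
    infected = []
    for h in hosts:                    # pass 2: "connect to any" hosts join in
        if h["infra_only"] or not h["connect_any"]:
            continue
        known = {s for s, _ in h["pnl"]}
        for ssid, ntype in visible.items():
            if ntype == ADHOC and ssid not in known:
                h["pnl"].append((ssid, ADHOC))   # the PNL is now "infected"
                infected.append(h["name"])
    return visible, infected

def demo():
    carrier = make_host("carrier", [("corp-wifi", INFRA), ("Free Public WiFi", ADHOC)])
    careless = make_host("careless", [("home", INFRA)], connect_any=True)
    hardened = make_host("hardened", [("home", INFRA)], infra_only=True, connect_any=True)
    fleet = [carrier, careless, hardened]
    # Airport: no known AP, so the carrier beacons "Free Public WiFi".
    airport = simulate_location(fleet, ["airport-free"])
    # Office: the carrier sees corp-wifi and stays quiet, yet the SSID is
    # still in the air because careless now advertises it itself.
    office = simulate_location(fleet, ["corp-wifi"])
    return airport, office, careless["pnl"], hardened["pnl"]
```

Running demo() shows the SSID hopping from the carrier to the careless host at the airport and then being re-advertised by that host back at the office, while the hardened host's PNL stays clean.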